(57) ABSTRACT

A system installs and enables the use of a temporary certificate at a remote site. The system comprises a global server site, a temporary client site and a web site. The global server site includes a security module that identifies and authenticates the user at the temporary client site, and a web server engine that downloads a key generation downloadable and a certificate request engine downloadable upon user authentication to the client site. The client site includes a web engine that executes the key generation downloadable to generate a public key and a private key, and executes the certificate request engine downloadable to send a temporary certificate request (including the public key) to the global server site. A temporary certificate generator at the global server site generates a temporary certificate having the public key and a validity period. The web server on the global server site sends the temporary certificate and a certificate installation downloadable to the web engine on the client site, which executes the downloadable thereby installing the temporary certificate. The web server on the global server site can also send a certificate maintenance downloadable and a certificate de-installation downloadable to the client site. The web server engine maintains a revocation list that contains information identifying revoked temporary certificates, so that a revoked but thus far unexpired certificate cannot be improperly used. The web site reviews the temporary certificate for authenticity and contacts the global server site to review the revocation list and determine whether the temporary certificate has been revoked.

44 Claims, 12 Drawing Sheets 
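
The issue, review and revoke cycle summarized in the abstract, as an added Python example that is not code from the patent. Assumptions: all class and function names are hypothetical; textbook RSA over fixed Mersenne primes stands in for a real signature scheme and is not secure; the timestamps, subject names and 30-minute lifetime are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, replace

# Toy textbook RSA over fixed Mersenne primes (constructed demo keys, NOT secure).
# It stands in for a real signature scheme so the example runs on the stdlib alone.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)               # (public key, private key)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data, n), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)

@dataclass(frozen=True)
class TemporaryCertificate:
    # Fields mirror the temporary certificate the page describes:
    # public key, subject name, validity period, serial number, signature.
    public_key: tuple
    subject_name: str
    not_before: int          # validity period, seconds since epoch
    not_after: int
    serial_number: int
    signature: int = 0       # global server signature

    def to_be_signed(self):
        return repr((self.public_key, self.subject_name, self.not_before,
                     self.not_after, self.serial_number)).encode()

class GlobalServer:
    """Hypothetical global server site acting as its own certificate authority."""

    def __init__(self, keypair):
        self.public_key, self._private_key = keypair
        self._next_serial = 1
        self.revocation_list = {}    # serial number -> expiry of the revoked certificate

    def issue(self, request_public_key, subject_name, now, lifetime=1800):
        # The request carries only the public key; the private key stays on the client.
        cert = TemporaryCertificate(request_public_key, subject_name,
                                    now, now + lifetime, self._next_serial)
        self._next_serial += 1
        return replace(cert, signature=sign(self._private_key, cert.to_be_signed()))

    def revoke(self, cert):
        self.revocation_list[cert.serial_number] = cert.not_after

    def prune(self, now):
        # Expired certificates fail the validity check anyway, so their
        # revocation entries can be dropped without reopening them for use.
        self.revocation_list = {serial: expiry
                                for serial, expiry in self.revocation_list.items()
                                if expiry >= now}

    def is_revoked(self, serial_number):
        return serial_number in self.revocation_list

def web_site_review(cert, server, now):
    """The web site's checks: authenticity, validity period, then revocation."""
    if not verify(server.public_key, cert.to_be_signed(), cert.signature):
        return "rejected: bad signature"
    if not (cert.not_before <= now <= cert.not_after):
        return "rejected: outside validity period"
    if server.is_revoked(cert.serial_number):
        return "rejected: revoked"
    return "accepted"

def demo():
    server = GlobalServer(make_keypair(2**127 - 1, 2**89 - 1))
    # Key generation happens on the temporary client; only the public half is sent.
    client_public, _client_private = make_keypair(2**107 - 1, 2**61 - 1)
    t0 = 1_000_000                                   # constructed timestamp
    cert = server.issue(client_public, "roaming.user", t0)
    results = [web_site_review(cert, server, t0 + 60)]
    altered = replace(cert, subject_name="someone.else")   # signature no longer matches
    results.append(web_site_review(altered, server, t0 + 60))
    server.revoke(cert)                              # user leaves the temporary site
    results.append(web_site_review(cert, server, t0 + 120))
    server.prune(t0 + 1801)                          # entry removed once the cert has expired
    results.append(web_site_review(cert, server, t0 + 1801))
    return results, server.revocation_list

if __name__ == "__main__":
    print(demo())
```

The last review shows why pruning is safe: the revocation entry is gone, yet the certificate is still refused because its validity period has ended.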
SYSTEM AND METHOD FOR INSTALLING AND USING A TEMPORARY CERTIFICATE AT A REMOTE SITE

PRIORITY REFERENCE(S) TO PRIOR APPLICATION(S)

This application claims priority of and hereby incorporates by reference U.S. patent application Ser. No. 08/766,307, entitled "System and Method for Globally Accessing Computer Services," filed on Dec. 13, 1996, by inventors Mark D. Riggins, et al.; U.S. patent application Ser. No. 08/841,950, entitled "System and Method for Enabling Secure Access to Services in a Computer Network", filed on Apr. 8, 1997, by inventor Mark D. Riggins; U.S. patent application Ser. No. 08/865,075, entitled "System and Method for Using a Global Translator to Synchronize Workspace Elements Across a Network," filed on May 29, 1997, by inventors Daniel J. Mendez, et al.; U.S. patent application Ser. No. 08/835,997, entitled "System and Method for Securely Synchronizing Multiple Copies of a Workspace Element in a Network," filed on Apr. 11, 1997, by inventors Daniel J. Mendez, et al.; U.S. patent application Ser. No. 08/897,888, entitled "System and Method for Synchronizing Electronic Mail Across a Network," filed on Jul. 22, 1997, by inventors Daniel J. Mendez, et al.; U.S. patent application Ser. No. 08/899,277, entitled "System and Method for Using an Authentication Applet to Identify and Authenticate a User in a Computer Network," filed on Jul. 23, 1997, by inventor Mark D. Riggins; and U.S. patent application Ser. No. 8/903,118, entitled "System and Method for Globally and Securely Accessing Unified Information in a Computer Network," filed on Jul. 30, 1997, by inventors Daniel J. Mendez, et al.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and method for installing a temporary certificate at a remote site.

2. Description of the Background Art

The Internet has become one of the most popular tools used by businesses and individuals for obtaining services and needed information. When a web client, e.g., a user operating a network browser, communicates via the Internet with a web server (i.e., a web site), the web server recognizes the web client based on information received in a certificate that was installed on the web client and that was downloaded to the web server. The conventional certificate identifies the user, provides information needed to establish secure network communications between the client and the server, and includes a signature from a certifying authority such as Verisign, Inc. of Mountain View, Calif., that provides certificate integrity, authenticity and origin.

More particularly, a user typically requests a certificate from a certifying authority, i.e., a third party mutually trusted by the user and the web server. The user operates pre-installed software for generating a public/private key pair, and sends a certificate request including the public key to the certifying authority. The certifying authority verifies the identity and any other information needed about the user, packages the user's name, the public key, a validity period and an assigned serial number together, and digitally signs the package, thereby creating a signed certificate. The certifying authority then sends the signed certificate to the user, who installs the signed certificate and the private key associated with the packaged public key in one or more web clients.

For completeness, a brief review of public/private key cryptography is provided. Mathematically, a public and private key pair are generated to encrypt and decrypt messages. That is, either key can be used to encrypt a message, but only the other key of the key pair can be used to decrypt the message. The owner keeps the private key private, but allows everyone to know the public key. Accordingly, anyone can encrypt a message using the public key, but only the owner can decrypt the message, because the owner is the only one who knows the private key. Similarly, the owner can encrypt a message using the private key, and thus everyone can use the public key to decrypt the message. A user that uses a public key to decrypt an encrypted message can be sure that the message was encrypted by someone who has the corresponding private key. So long as the private key is kept private, the user can be assured that the owner of the private key sent the message. If both parties to a communication have public/private key pairs, then each party can communicate privately with the other by encrypting messages with the recipient's public key.

However, how can the sender be confident that they are using the correct public key for the recipient? Exchanging keys personally may be too inconvenient. Instead, both parties present their public keys, other identifying information and proof of their identity to a mutually trusted certificate authority. The certificate authority verifies the user's identity and issues a public key certificate [illegible] the user's public key and distinguished name. If both parties wish to communicate privately via web clients, then they may install their private keys and public key certificates in their respective web clients. The certificate authority may also issue certificates to identify web servers, showing that a given server name such as "www.briefcase.com" was issued to Visto Corporation of Mountain View, Calif.

When a web client connects to a web server, the web client and web server identify and authenticate each other and negotiate a secure communications channel. For identification, both parties exchange public key certificates. Accordingly, each party uses the public key of the certificate authority to verify the signature of the other party's certificate. As stated above, the public key certificate binds a public key to a subject name (i.e., distinguished name) such as the client's name or server's name. The parties recognize each other by the subject name included in the certificate. To authenticate this identity, each party proves to the other that they possess the private key associated with the public key included in the certificate. One method of authenticating, employed by Secure Sockets Layer (SSL) technology, includes the steps of choosing a random number and encrypting it using the other party's public key. The encrypted number is sent to the other party who decrypts it and returns the decrypted value, thereby proving that they possess the private key.

After authenticating each other's identity, both parties exchange one or more symmetric keys used to encrypt the bulk of their communications. "The SSL Protocol, Version 3.0" by Netscape Communications Corporation, attached hereto and incorporated herein, describes additional details of a session-oriented protocol, such as how parties agree upon a cryptographic algorithm and what key length to use. S/MIME by RSA Data Security and PEM encryption techniques illustrate example systems for sending individual messages encrypted under symmetric keys communicated with public key encryption and public key certificates.

Conventional certificates do not solve all problems and concerns for the roaming user. For example, transporting a private key to and installing the private key at every temporary terminal used by the roaming user is unsafe because the private key may be stolen or hacked from the temporary terminal. Still further, sending an owner's private key over the Internet or reading it from a floppy disk or other storage media also pose substantial security risks. SmartCards such as those made by Litronic Inc. can be used to transport private keys safely but are not widely deployed and are subject to physical loss. Further, SmartCard readers are not available at most kiosks.

Therefore, a system and method for facilitating the use of public key certificates by the roaming user are needed.

SUMMARY OF THE INVENTION

The present invention provides a system for installing and enabling the use of a temporary certificate at a remote site. Temporary certificates can safely be installed because they expire quickly and can be revoked when the user leaves the remote site. The system comprises a global server site, a temporary client site and a web site. The global server site includes a security module that identifies and authenticates the user at the client site, and a web server engine that upon user authentication downloads a key generation downloadable and a certificate request engine downloadable to the client site. It will be appreciated that the global server site may include its own certificate authority or may interact with a third party certificate authority to establish client trust and generate temporary certificates.

The temporary client site includes a web engine that executes the key generation downloadable to generate a public and private key pair, and that executes the certificate request engine downloadable to send a temporary certificate request (including the public key) to the global server site. The global server site further includes a temporary certificate generator for generating a signed temporary certificate having the public key, a short term validity period (e.g., expiration date and time), a subject name (e.g., user identity) and other information. The temporary certificate's validity period is set to limit the usefulness of the temporary certificate to a desired lifetime. This can be made arbitrarily short if additional temporary certificates are generated and installed with extensions as needed.

Upon request by the temporary client site, the web server on the global server site sends the temporary certificate and a certificate installation downloadable to the web engine on the client site, which executes the downloadable, thereby installing the temporary certificate. The web server on the global server site can also send a certificate maintenance downloadable and a certificate de-installation downloadable to the client site. The global server site (operating as the certifying authority) may maintain a revocation list that contains information identifying revoked temporary certificates, so that revoked but thus far unexpired certificates cannot be used improperly. Since they are no longer valid, expired temporary certificates may be removed from the revocation list.

Once the temporary certificate has been installed, the client site can communicate with any web site that recognizes the certificate authority, e.g., on the global server site. As an alternative, the global server site may contact a third party certificate authority such as VeriSign, Inc. of Mountain View, Calif. to sign the temporary certificate on behalf of the global server site. As a second alternative, the third party certifying authority can vouch for the global server site, so that the global server site will be recognized as a certificate authority. This is conventionally referred to as "certificate chaining."

As a third alternative, the global server can generate a self-certified limited certificate for the user, for installation on the temporary client. A self-certified limited certificate is a certificate derived from a traditional public key certificate and from its private key. The self-certified limited certificate has the same subject name (e.g., user identity), a different public key and a validity period shorter than the traditional validity period (e.g., between five and thirty minutes). A self-certified limited certificate is signed by the private key associated with the traditional public key certificate. When using this alternative, the user's private key and traditional certificate are stored on the global server. The client generates a temporary public/private key pair and request for a temporary certificate as before. When the client connects to the web site, both the traditional certificate and the temporary certificate are used. The certificate authority's well-known public key is used to verify the signature of the traditional certificate. The public key in the traditional certificate is used to verify the signature of the temporary certificate. Thus, a web site can accept the self-certified limited certificate in lieu of the long-term traditional certificate.

Whether the temporary certificate is issued (i.e., signed) by the global server, the third party certificate authority or the individual certificate holder, the user can install the temporary certificate in the client site and can contact any web site that recognizes the certifying authority of the certificate. The web site reviews the temporary certificate for authenticity and contacts the certificate authority, which in this instance is the global server site, to determine whether the temporary certificate has been revoked.

A claimed system comprises a server for receiving a request for installation of a temporary certificate from a temporary client site, a temporary certificate generator coupled to the server for generating a temporary certificate with an expiration date and time, and a certificate installation downloadable coupled to the server for causing the client site to install the temporary certificate.

A claimed method for installing and enabling use of a temporary certificate at a remote site comprises the steps of receiving from a temporary client site a request for installation of a temporary certificate, generating a temporary certificate with an expiration date and time, and delivering the temporary certificate and a certificate installation downloadable to the client site.

The system and method of the present invention advantageously enable a roaming user to securely install a temporary certificate on a remote site, without transmitting a private key across the computer network. A user need not maintain and port certificates for installation at the remote sites. The system and method may enable any web site that recognizes the certificate authority issuing the temporary certificate to identify and authenticate the user. The system and method enable logging of temporary certificate usage. The system and method monitor for expired temporary certificates. The system and method provide a simple technique for enabling a web site to authenticate a temporary certificate and to determine whether a still current temporary certificate has been revoked. Further, the permanent private key has not been compromised.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a computer network in accordance with the present invention;

FIG. 2 is a block diagram illustrating details of a computer of FIG. 1;
FIG. 3 is a block diagram illustrating details of a temporary certificate server of FIG. 1;

FIG. 4A is a block diagram illustrating details of a temporary certificate;

FIG. 4B is a block diagram illustrating details of a request for a temporary certificate;

FIG. 5 is a flowchart illustrating a client method of installing and using a temporary certificate in accordance with the present invention;

FIG. 6 is a flowchart illustrating a global server method of installing a temporary certificate in accordance with the present invention;

FIG. 7 is a flowchart illustrating a method of generating a temporary certificate;

FIG. 8 is a flowchart illustrating a method of managing the temporary certificate of the present invention;

FIG. 9 is a flowchart illustrating a method of examining a temporary certificate before performing a client request, in accordance with the present invention;

FIG. 10 is a flowchart illustrating a method of reissuing a temporary certificate; and

FIG. 11 is a flowchart illustrating a method of installing a self-certified limited certificate;

FIG. 12 is a flowchart illustrating a method of using the self-certified limited certificate of FIG. 11; and

FIG. 13 is a block diagram illustrating a self-certified limited certificate.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a computer network 100, in accordance with the present invention. The computer network 100 includes a global server site 110 coupled via a computer network 155 (e.g., a local area network or the wide area network commonly referred to as the Internet) to a persistent client site 120, to a temporary client site 125, to a web site 130 and to a third party certificate authority 175.

The web site 130 represents an arbitrary server on the computer network 155 that provides data and/or services to a client site, only after identifying and authenticating the client (e.g. a user) and/or the client site based on a public key certificate and a private key installed on a client site. As illustrated, the web site 130 provides data and/or services to the persistent client site 120 and to the temporary client site 125. The web site 130 includes a secure communications engine 147 for using public/private key cryptography to identify and authenticate a client and to establish a secure communications channel with a client site 120 or 125. The web site 130 further includes a web site engine 153 for delivering web page data 150 to the connecting client site so that the client site 125 can present a web page (not shown) and access the services of the web site 130. Web page data 150 may include text, images, program services, applets, hypertext, etc. Upon generation of a secure communications channel with a client site 120 or 125, the web site engine 153 delivers web page data 150 via the secure communications channel to the connecting client site 120 or 125. Details of authentication protocols using public key certificates are discussed in an article entitled "The SSL Protocol, Version 3.0" published by the Netscape Communications Corporation on Nov. 18, 1996, which is hereby incorporated by reference.

The persistent client site 120 includes a configured web engine 135 for communicating with the web site 130, and includes a secure communications engine 180 for using public/private key cryptography to establish a secure communications channel with other sites, such as with the global server site 110 [illegible] computer network 155. The client 120 is referred to as "persistent" because the user repeatedly uses it, and thus considers it a more permanent tool. The web engine 135 is referred to as "configured" because a long-term certificate 160 and long-term private key 165 (typically valid for a year term) have already been installed in the web engine 135 on the persistent client site 120. It will be appreciated that the long-term certificate 160 and long-term private key 165 have been installed in the web engine 135 because the client is a persistent client site 120. A configured web engine 135 is typically found on a user's desktop work computer, a user's desktop home computer, a user's laptop computer, a user's personal information manager such as a PalmPilot™ developed by U.S. Robotics, Inc., etc.

[illegible] persistent client site 120 is configured, other sites such as the web site 130 can identify the user of the persistent client site 120, and both the web site 130 (via the secure communications engine 147) and the persistent client site 120 (via the secure communications engine 180) can communicate securely without intervention by the global server site 110. Upon generation of the secure communications channel, the web site engine 153 will download web page data 150 via the secure communications channel to the [illegible] web engine 135, which accordingly presents a web page (not shown).

The temporary client site 125, such as a computer terminal [illegible] conventional kiosk, includes an unconfigured web engine 140 and a secure communications engine 185. The web engine 140 is referred to as "unconfigured" until a user's certificate and private key are installed in the web engine 140 on the temporary client site 125. The temporary client site 125 is referred to as "temporary" because the device is used infrequently or for a single time and later used by others. Without a certificate or public key, other sites such as the web site 130 cannot identify the user by the aforementioned techniques described with respect to persistent clients 120. The web site 130 may prohibit the temporary client site 125 from obtaining its data 150 (including services) until the temporary client site 125 is configured.

Before the temporary client site 125 is configured, the secure communications engine 185 on the temporary client site 125 uses SSL or PCT technology to establish a private communications channel with the secure communications engine 190 on the global server site 110. SSL authenticates the server using its public key certificate. However, the identity of the user must be proven by some other means because no certificate and private key have been installed on the temporary client site. After the temporary client site 125 is configured, the secure communications engine 185 on the temporary client site 125 uses public/private key cryptography to establish a secure communications channel with other sites on the computer network 155, such as with the web site 130 identifying the user by the installed temporary certificate and private key.

The global server site 110 includes a temporary certificate server 115 for enabling the installation of a temporary certificate (400, illustrated and described in greater detail with reference to FIG. 4A) in the unconfigured web engine 140 on the temporary client site 125. The temporary certificate server 115 receives a temporary certificate installation request from the temporary client site 125, identifies and authenticates the user at the temporary client site 125, and accordingly delivers temporary certificate software (which
is described in greater detail with reference to FIG. 3) to the temporary client site 125. The temporary client site 125 executes the temporary certificate software, which initiates the generation of a public/private key pair and a temporary certificate 400 and causes a temporary configuration of the unconfigured web engine 140. Generation of a temporary certificate 400 is described in greater detail with reference to FIG. 7. Installation of the temporary certificate 400 is described in greater detail with reference to FIG. 5.

It will be appreciated that the global server site 110 includes a private key 119 for digitally signing messages, including the temporary certificate 400, and includes a global server certificate 117 associating the global server site 110 with its well known public key. Although the global server site 110 is being described as a certificate authority, one skilled in the art will recognize that a third party certificate authority 175 such as VeriSign, Inc. of Mountain View, Calif. may sign the temporary certificate 400 on behalf of the global server site 110 (via a request from the global server site 110). As a second alternative, the third party certifying authority 175 can vouch for the global server site 110, so that the global server site 110 will be recognized as an approved certificate authority, which is conventionally referred to as "certificate chaining."

As a third alternative, the global server site 110 can generate a self-certified limited certificate for the user, for installation on the temporary client site 125. A self-certified limited certificate is a certificate derived from a traditional public key certificate (such as certificate 160) and from its associated private key (such as private key 165). The self-certified limited certificate has the same identity (i.e., subject name), a different public key and a shorter validity period. A self-certified limited certificate is signed by the private key associated with the traditional public key certificate. An example self-certified limited certificate is illustrated in FIG. 13. When using this alternative, the user's private key and traditional certificate are stored on the global server site 110. The certificate authority's well-known public key is used to verify the certifying authority of the traditional certificate. The public key in the traditional certificate is used to verify the signature on the temporary certificate 400. Limited certificate generation is described in greater detail with reference to FIG. 11. A web site 130 can accept the self-certified limited certificate in lieu of the individual certificate. Use of a limited certificate is described in greater detail with reference to FIG. 12.

Whether the temporary certificate 400 is issued (i.e., signed) by the global server site 110, the third party certificate authority 175 or the individual certificate holder, the user can install the temporary certificate 400 in the client site and can contact any web site that recognizes the certifying authority of the temporary certificate 400.

FIG. 2 is a block diagram illustrating a computer system 200 which exemplifies the global server site 110, the persistent client site 120, the temporary client site 125, the third party certificate authority 175 and the web site 130. The computer system 200 includes a processor 205, such as an Intel Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to a communications channel 210. The computer system 200 further includes an input device 215 such as a keyboard and mouse, an output device 220 such as a Cathode Ray Tube (CRT) display, a communications interface 225, data storage 230 such as a magnetic disk, and internal storage 235 such as Random-Access Memory (RAM), each coupled to the communications channel 210.

The data storage 125 stores data 240 and stored programs 245. The internal storage 235 stores executing programs 235. With reference to the web site 130 (FIG. 1), an example of data 240 includes web page data 150, and examples of stored programs 245 or executing programs 250 include client identification engine 145 and secure communications engine 147. An operating system 255 controls processing by processor 205, and is typically stored in data storage 230 as a stored program 245 and loaded into internal storage 235 as an executing program 250 for execution by processor 205. Although the data 240, stored programs 245 and executing programs 250 are being described as wholly stored at a single location, one skilled in the art will recognize that different portions of the data 240, stored programs 245 and executing programs 250 may be stored at different sites.

One skilled in the art will recognize that the computer system 200 may also include additional information, such as network connections, additional memory, additional processors, LANs, input/output lines for transferring information across a hardware channel, the Internet or an intranet, etc. One skilled in the art will also recognize that the programs and data may be received by and stored in the system in alternative ways. For example, a computer-readable storage medium (CRSM) reader 260 such as a magnetic disk drive, hard disk drive, magneto-optical reader, CPU, etc. may be coupled to the communications channel 210 for reading from a computer-readable storage medium (CRSM) 265 such as a magnetic disk, a hard disk, a magneto-optical disk, RAM, etc. Accordingly, the computer system 200 may receive programs and data via the CRSM reader 260.

FIG. 3 is a block diagram illustrating details of the temporary certificate server 115. The temporary certificate server 115 includes a web server engine 303, a security module 305, a database of users 310, a key generation downloadable 315, a certificate request engine downloadable 320, a temporary certificate generator 325, a certificate installation downloadable 330, a revocation list 335, a certificate maintenance Downloadable 340 and a certificate de-installation Downloadable 345. A Downloadable is any program code that is downloaded from a remote site that can be executed or interpreted on a local site. Examples of Downloadables include applets for use in the Java™ distributed environment developed by Sun Microsystems, Inc., ActiveX™ control for use in the ActiveX™ distributed environment developed by the Microsoft Corporation, plugins, etc.

The web server engine 303 receives and responds to requests from connecting clients, acting as the application program interface with the clients. Operation of the web server engine 303 will be described in greater detail with reference to the modules below.

After the secure communications engine 185 on the temporary client site 125 establishes a private channel with the secure communications engine 190 on the global server site 110, the temporary client site 125 sends a request for temporary configuration to the web server engine 303. The global server site 110 receives the request. Accordingly, the security module 305 examines security information such as a login and password, a response to a challenge, a time-synchronous currently displayed key on an authentication token such as a secure ID card by Security Dynamics, etc. to confirm the privileges of the connecting temporary client site 125 to access the contents and functionality of the global server site 110, and more particularly to access the contents and functionality of the temporary certificate server 115. The security information, including identification and authentication information, distinguished name and usage log for each privileged user, is contained in the database of users
310. For the third alternative, the traditional certificate and private key may also be stored in the database of users 310.

Upon confirming user privileges, the web server engine 303 responds to a request for temporary configuration. An example request 450 is illustrated in FIG. 4B. Upon request from the temporary client site 125, the web server engine 303 downloads global server web page data including the key generation downloadable 315, the certificate request engine Downloadable 320, the certificate installation downloadable 330, the certificate maintenance downloadable 340 and the certificate de-installation downloadable 345 to the temporary client site 125. Requesting and downloading Downloadables are described in greater detail with reference to FIG. 6. The Downloadables are described in greater detail below.

The key generation downloadable 315 includes code for causing a web engine, e.g., the unconfigured web engine 140, to generate a public/private key pair. The key generation downloadable 315 may include an applet for use in the Java™ distributed environment developed by Sun Microsystems, Inc., an Active™ control for use in the ActiveX™ distributed environment developed by the Microsoft Corporation, a plugin, etc. Considerable processing time is needed to generate public and private key pairs. It will be appreciated that, since the key pair is useful only for the life of the temporary certificate 400, a shorter key length may be used in comparison to certificates that must be valid for longer time spans. The unconfigured web engine 140 on the temporary client site 125 executes the key generation Downloadable 315. Accordingly, the key generation downloadable 315 generates temporary public and private keys for the temporary client site 125. It will be appreciated that, since the system 100 transmits only a key generation downloadable 315 and not a private key across the computer network 155, the system 100 does not compromise the private key by network transfer. Although key generation is preferably performed on the temporary client site 125, key generation may be performed on the global server site 110 and downloaded to the temporary client site 125 protected by some security means such as a password or SSL session.

The certificate request engine downloadable 320 includes code for causing a web client, e.g., web engine 140, to request the global server site 110 to generate a temporary certificate 400. The unconfigured web client 140 on the temporary client site 125 executes the certificate request engine Downloadable 320. The certificate request engine Downloadable 320 packages all information needed including the public key generated by the key generation downloadable 315 and a requested duration into the certificate request, and forwards the request to the temporary certificate generator 325 for temporary certificate generation. FIG. 4B is a block diagram illustrating a certificate request 450. The request 450 includes a temporary public key 405, a requested duration 460 and a signature 465. The signature 465 proves that the requester has the temporary private key associated with the temporary public key in the request 450.

The temporary certificate generator 325 packages the public key, the subject name such as the distinguished name of the client stored in the database of users, a validity period (e.g., a start and end time), issuer name and other information into an envelope. The validity period will be restricted to begin no earlier than a universal current time on the global server site 110 and to have a maximum duration possibly set by the user. The maximum duration should be short, for example, 24 hours, one week, two weeks, etc. but should not exceed the traditional validity term of one year.

The temporary certificate generator 325 digitally signs the envelope, thereby generating the signed temporary certificate 400. FIG. 4A is a block diagram illustrating an example temporary certificate 400, which includes a public key 405, a subject name 410, a validity period 415, a serial number 420 and a global server signature 425. Although not shown, the certificate 400 may include other information such as that used by certificates complying with the X.500 Version 3.0 in CCITT, Recommendation X.509: "The Directory — Authentication Framework" 1988 by J. Postel and J. Reynolds cited on page 57 of the incorporated reference entitled "The SSL Protocol, Version 3.0." Referring again to FIG. 3, it will be appreciated that the temporary certificate generator 325 may use the global server's private key 119 to digitally sign the envelope. It will be further appreciated that the temporary certificate generator 325 may use a Public Key Certificate Standard (PKCS), such as PKCS-7, and may use the Abstract Syntax Notation (ASN) distinguished coding practices. The temporary certificate generator 325 forwards the signed temporary certificate 400 to the requesting client.

The certificate installation downloadable 330 includes code for causing a web client, such as web engine 140, to install the temporary certificate 400 so that the web engine 140 will provide a temporary certificate 400 to all confirmed requesting parties. The certificate installation downloadable 330 includes an Application Program Interface (API) for communicating with the particular web engine 140. For example, if the web engine 140 includes the Netscape Navigator™ web browser developed by the Netscape Corporation, then an API for communicating with the Netscape Navigator™ web browser is needed. If the client supports a SmartCard reader, the API may install a virtual SmartCard driver and may install the certificate virtually on the driver. Now the temporary client site 125 is temporarily configured and can operate without further interaction with the global server site 110 for the duration of the temporary certificate 400.

The certificate maintenance downloadable 340 includes code for causing the temporary client site to monitor the validity period of the temporary certificate 400 for expiration. Monitoring current time may include communicating with an atomic clock on the global server site 110 or may include adjusting for time variations between the temporary client site 125 and the global server site 110. Just prior to expiration of the temporary certificate 400, the certificate maintenance downloadable 340 re-requests identification and authentication information from the user. Upon confirmation of user identification and authentication, the temporary certificate generator 325 reissues a new temporary certificate 400 which may require re-generation of a new public/private key pair, etc. or just updating the start/end time 415 to extend the validity period. It will be appreciated that to maintain a temporary certificate, the user may be requested to hit a "Continue?" pop-up button and input of identification and authentication information. The certificate installation downloadable 330 installs the reissued temporary certificate 400 in the web engine 140.

The certificate de-installation downloadable 345 includes code for causing the web engine 140 to de-install a temporary certificate 400 after the user has finished with the temporary client site 125. The certificate de-installation downloadable 345 removes the temporary certificate 400 and the private key from the web engine 140, and sends the certificate 400 or at least the serial number 420 of the certificate 400 to the certificate authority maintaining the revocation list 335, which contains information identifying all unexpired temporary certificates 400 to be considered no
longer valid. In this embodiment, the certifying authority is the global server site 110, and thus the information is sent to the web server engine 303. The web server engine 303 stores the certificate 400 or serial number 420 in the revocation list 335. If the certifying authority is a third party certificate authority 175, revocation of a temporary certificate 400 is communicated to the third party certificate authority 175 (possibly via the global server site 110) so that a proper revocation list 335 can be maintained at that third party certificate authority 175. If the temporary certificate is a self-certified limited certificate (see FIGS. 10-13), then the revocation list may be managed by the certificate authority issuing the long-term certificate.

A web site 130 that was contacted by a client 125 using a temporary certificate 400 asks the web server engine 303 to download the certificate revocation list 335. By reviewing the revocation list 335, the web site 130 can determine if the temporary certificate 400 being used has already been revoked. For efficiency, the web site 130 may only download a revocation list 335 if the revocation list 335 on the global server site 110 has been updated since the last download. After a temporary certificate 400 expires, the web server engine 303 may remove it from the revocation list 335. Because the temporary certificates 400 quickly expire (e.g., between five minutes and 24 hours) and are removed from the revocation list 335 upon expiration, the revocation lists 335 will not become very long.

FIG. 5 is a flowchart illustrating a client method 500 for generating, installing and using a temporary certificate 400 at the temporary client site 125. Method 500 begins by the temporary client site 125 in step 505 creating a private channel with the global server site 110. Creating a private channel may include using SSL or PCX technology. In response to a request by the security module 305 of the global server site 110, the unconfigured web engine 140 in step 510 delivers identification and authentication information to the global server site 110, possibly, by requesting login and password information from a user or by requesting a response to a challenge from a user having a hand-held authentication token such as AuthentiCard™ authentication token developed by Vasco Corporation of Lombard, Ill. or by entering the number currently displayed on time-synchronized identification and authentication system such as SecureID from Security Dynamics, and forwarding the information or response to the security module 305. It will be appreciated that because of the global server certificate 117 on the global server site 110, the temporary client site 125 can strongly identify the global server site 110. However, the global server site 110 cannot yet identify the currently unconfigured temporary client site 125.

Upon identification and authentication, the unconfigured web engine 140 in step 515 downloads and in step 520 executes a key generation downloadable 315 from the global server site 110. The key generation downloadable 315 in step 523 generates a public/private key pair. The unconfigured web engine in step 525 downloads and in step 530 executes a certificate request engine downloadable 320 from the global server site 110. The certificate request engine downloadable 320 in step 535 sends a certificate request 450 having the public key generated by the key generation downloadable 315 to the temporary certificate generator 325 of the global server site 110. An example certificate request 450 is shown in FIG. 4B.

The unconfigured web engine 140 in step 540 downloads from the global server site 110 a certificate installation downloadable 330 and a temporary certificate 400 generated by the temporary certificate generator 325. The unconfigured web engine 140 in step 545 executes the certificate installation downloadable 330, which in step 550 installs the temporary certificate 400 and the previously generated private key in the unconfigured web engine 140, thereby creating a temporarily configured web engine 140. The web engine 140 in step 553 downloads the certificate maintenance downloadable 340 and the certificate de-installation Downloadable 345. It will be appreciated that all these downloadables may be combined into a single downloaded program module. The secure communications engine 185 on the temporary client site 125 in step 555 sends a request to close the secure channel with the secure communications engine 190 on the global server site 110.

Accordingly, the temporarily configured web engine 140 in step 560 executes the certificate maintenance Downloadable 340 and uses the temporary certificate and private key to communicate with web sites 130. Either after expiration of the temporary certificate or upon receipt of a user's asynchronous logout request, the web engine 140 in step 565 executes the certificate de-installation Downloadable 345 to de-install the temporary certificate. It will be appreciated that expiration of the temporary certificate and receipt of a user logout request will be recognized by the certificate maintenance Downloadable being executed by the temporarily configured web engine 140. Method 500 then ends.

FIG. 6 is a flowchart illustrating a method 600 for installing a temporary certificate 400 in an unconfigured web engine 140 in accordance with the present invention. Method 600 begins with the secure communications engine 310 in step [illegible] accepting a secure channel request from the connecting [illegible] secure communications engine 185 of the temporary client site 125. The security module 305 in step [illegible] identifies and authenticates the client at the temporary client site 125 possibly by requesting login and password information or by requesting a response to a challenge. Upon identification and authentication, the web server engine 303 in step 615 accepts a request from the unconfigured web engine 140 on the temporary client site 125. In step 620, the web server engine 303 determines if the request includes a request for a Downloadable. If so, then the web server engine 303 in step 625 retrieves the requested item and downloads it to the unconfigured web engine 140. Method 600 then returns to step 615. The Downloadable may include the key generation downloadable 315, the certificate request engine Downloadable 320, the certificate installation Downloadable 330, the certificate maintenance Downloadable 340, the certificate de-installation Downloadable 345 or combinations of the above.

If the request received is not a request for a Downloadable, then the web server engine 303 in step 630 determines whether the request included a request for temporary certificate generation. If so, then the temporary certificate generator 325 in step 635 generates a temporary certificate 400 by packaging the necessary information from the request 450 and from the database of users 310 into a container and signing the container, as described in greater detail above with reference to FIG. 4A and below with reference to FIG. 7. The web server engine 303 in step 640 downloads the temporary certificate 400 to the unconfigured web engine 140, and returns to step 615.

If the request was not a request for temporary certificate generation, then the web server engine 303 in step 645 determines if the request includes a request to close the secure channel. If so, then the secure communications engine 190 in step 650 closes the channel, and method 600
then ends. Otherwise, the web server engine 303 in step 647 determines if the request includes some other recognizable request. If recognized, then the web server engine 303 in step 648 performs the request and returns to step 615. If unrecognized, the web server engine 303 in step 649 rejects the request and returns to step 615.

FIG. 7 is a flowchart illustrating details of a method 635 for generating a temporary certificate 400, as illustrated in FIG. 4A. Method 635 begins with the temporary certificate generator 325 in step 705 retrieving the public key 405 from the temporary certificate generation request 450. The temporary certificate generator 325 in step 710 appends the subject name 410, retrieved from the database of users 310, to the public key 405. The temporary certificate generator 325 in step 715 assigns and appends a start time 415 based on the current time, and in step 720 assigns and appends an end time 415 based on the user-selected duration 460 and on previously configured validity period limits (not shown). The temporary certificate generator 325 in step 725 assigns and appends a serial number 420 to the public key 405. The temporary certificate generator 325 in step 730 appends the signature 425 certifying the authenticity of the above items. It will be appreciated that appending the certifying signature 425 may include using the global server private key 119 to sign the package. One skilled in the art will recognize that the temporary certificate 400 may contain other data items, and may comply with the X.500 standard. Method 635 then ends.

FIG. 8 is a flowchart illustrating a client method 800 for managing a temporary certificate 400 in accordance with the present invention. Method 800 begins with the certificate maintenance Downloadable 340 operating on the client 125 in step 810 examining the temporary certificate 400. The certificate maintenance Downloadable 340 in step 815 monitors the start/end time 415, i.e., the validity period, of the temporary certificate 400 to determine whether it has almost expired. For example, a temporary certificate 400 has almost expired when it is within a predetermined time period (e.g., 30 seconds) from the end time 415.

If the certificate maintenance Downloadable has determined that the temporary certificate 400 has almost expired, the certificate maintenance downloadable 340 in step 825 determines whether the user is done with the session, preferably, by asking the user. If the user is done, then the certificate maintenance Downloadable 345 in step 855 de-installs the temporary certificate 400 and method 800 ends. If the user is not done, then the certificate maintenance Downloadable 340 in step 835 requests a new or re-issued temporary certificate 400 from the global server site 110. Requesting a re-issued temporary certificate is similar to requesting an original temporary certificate 400. However, the Downloadables need not be downloaded again. That is, a request will look like request 450 (FIG. 4B), and step 835 may include creating a secure channel with the global server 110 (step 505, FIG. 5), transmitting identification and authentication information to the global server 110 (step 510, FIG. 5), executing the certificate request engine Downloadable 320 (step 530, FIG. 5), and sending the certificate request to the global server 110 (step 535, FIG. 5). For housekeeping and other purposes, the certificate request engine Downloadable 320 may also send the original temporary certificate 400 to the global server 110. Generating a re-issued certificate is discussed in greater detail with reference to FIG. 10. If the global server site 110 in step 837 grants the request, the certificate maintenance Downloadable 340 in step 840 installs the new or re-issued temporary certificate 400, and method 800 then returns to step 815. Step 840 may include executing the certificate installation Downloadable 330 (step 540, FIG. 5), installing the certificate (step 550, FIG. 5), and closing the secure channel (step 555, FIG. 5). If the certificate re-issue request is not granted, the method 800 jumps to step 855.

If the temporary certificate 400 has not almost expired, then the certificate maintenance Downloadable in step 820 waits. The certificate maintenance Downloadable 340 in step 845 determines if the user is done with the session. If not, then the method 800 returns to step 815. Otherwise, the certificate maintenance Downloadable 340 in step 850 adds the temporary certificate 400 to the revocation list 335 and proceeds to step 855.

FIG. 9 is a flowchart illustrating a web site method 900 for examining a temporary certificate 400 before authorizing performance of a client request, in accordance with the present invention. Method 900 begins with the secure communications engine 147 on the web site 130 in step 905 receiving a temporary certificate 400. The secure communications engine 147 in step 915 verifies the validity of the certificate 400. Verifying the validity of a temporary certificate is illustrated in FIG. 13. If the secure communications engine 147 in step 915 determines that the temporary certificate 400 is invalid, then the secure communications engine 147 in step 917 informs the user of the failure. Method 900 then ends.

If the secure communications engine 147 in step 915 determines that the certificate 400 is valid, then the secure communications engine 147 in step 920 identifies and authenticates the client. If the secure communications engine 147 in step 925 does not authenticate the client, then the method jumps to step 917. Otherwise, the web site engine 153 in step 930 accepts requests from the client site 125.

The web site engine 153 in step 935 determines whether, based on the valid certificate 400, the client on the client site 125 is authorized to have the request performed. If the client is not authorized, then the web site engine 153 in step 940 informs the client of the failure and method 900 returns to step 930. If the client is authorized, then the web site engine 153 in step 945 performs the request, e.g., provides the necessary web page data 150 or results to the client site 125. The secure communications engine 147 determines whether to end the session. Determining whether to end the session is similar to method 800 described with reference to FIG. 8. That is, the secure communications engine 147 determines if the temporary certificate 400 has expired or whether the user has logged out. Monitoring the current time to determine if the temporary certificate 400 has expired may include communicating with an atomic clock on the global server site 110. If ending the session, method 900 ends. Otherwise, method 900 then returns to step 930.

FIG. 10 is a flowchart illustrating a method 1000 of re-issuing a temporary certificate 400. Method 1000 begins with the temporary certificate server 115 in step 1010 receiving a request for extension. The temporary certificate server 115 in step 1020 re-identifies and re-authenticates the client, and in step 1030 determines whether to accept the request. Determining whether to accept the certificate re-issue request may include determining whether the user has configured the temporary certificate server 115 to allow updates, determining whether the frequency of updates is within user-selected or predetermined limits, determining whether the duration requested is within user-selected or predetermined limits, etc.

If the request is denied, the temporary certificate server 115 in step 1040 informs the client, and method 1000 ends.
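
The lifecycle described above (request 450 with its proof-of-possession signature 465, issuance per FIG. 7, revocation list 335 and the web site's check in FIG. 9) can be exercised end to end. The following Go program is an added example, not code from the patent: Ed25519 signatures, the text layout of the signed fields and every function name are assumptions chosen for illustration, and the keys are constructed from fixed seeds.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadProof = errors.New("request signature does not prove possession of the private key")
	ErrBadSig   = errors.New("issuer signature does not verify")
	ErrNotValid = errors.New("outside the validity period")
	ErrRevoked  = errors.New("serial number is on the revocation list")
)

// Request mirrors request 450: public key 405, requested duration 460, signature 465.
type Request struct {
	PublicKey ed25519.PublicKey
	Duration  time.Duration
	Signature []byte
}

// TempCert mirrors certificate 400: key 405, subject 410, validity 415, serial 420, signature 425.
type TempCert struct {
	PublicKey           ed25519.PublicKey
	Subject             string
	NotBefore, NotAfter time.Time
	Serial              uint64
	Signature           []byte
}

// CRL mirrors revocation list 335: serial number -> end of that certificate's validity.
type CRL map[uint64]time.Time

// The signed bytes use a constructed text layout (an assumption), not a PKCS or X.509 encoding.
func (r Request) body() []byte { return []byte(fmt.Sprintf("req|%x|%d", r.PublicKey, int64(r.Duration))) }
func (c TempCert) tbs() []byte {
	return []byte(fmt.Sprintf("cert|%x|%q|%d|%d|%d", c.PublicKey, c.Subject, c.NotBefore.Unix(), c.NotAfter.Unix(), c.Serial))
}

// demoKey derives a repeatable key from a constructed seed byte (demo only).
func demoKey(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// NewRequest runs on the client: the private key signs the request and is never sent.
func NewRequest(priv ed25519.PrivateKey, d time.Duration) Request {
	r := Request{PublicKey: pub(priv), Duration: d}
	r.Signature = ed25519.Sign(priv, r.body())
	return r
}

// Issue follows FIG. 7: check the request, bound the validity period, attach the serial, sign.
func Issue(ca ed25519.PrivateKey, maxLife time.Duration, serial uint64, r Request, subject string, now time.Time) (TempCert, error) {
	if len(r.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(r.PublicKey, r.body(), r.Signature) {
		return TempCert{}, ErrBadProof
	}
	d := r.Duration
	if d <= 0 || d > maxLife {
		d = maxLife // the requested duration never exceeds the configured maximum
	}
	c := TempCert{PublicKey: r.PublicKey, Subject: subject, NotBefore: now, NotAfter: now.Add(d), Serial: serial}
	c.Signature = ed25519.Sign(ca, c.tbs())
	return c, nil
}

// Revoke is what de-installation triggers; Prune drops entries once the certificate has expired.
func (l CRL) Revoke(c TempCert) { l[c.Serial] = c.NotAfter }
func (l CRL) Prune(now time.Time) {
	for serial, end := range l {
		if now.After(end) {
			delete(l, serial)
		}
	}
}

// Verify is the web site's check: issuer signature, validity period, then the revocation list.
func Verify(c TempCert, caPub ed25519.PublicKey, crl CRL, now time.Time) error {
	if !ed25519.Verify(caPub, c.tbs(), c.Signature) {
		return ErrBadSig
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return ErrNotValid
	}
	if _, revoked := crl[c.Serial]; revoked {
		return ErrRevoked
	}
	return nil
}

func main() {
	ca, crl, now := demoKey(1), CRL{}, time.Unix(1700000000, 0)
	cert, _ := Issue(ca, 24*time.Hour, 1, NewRequest(demoKey(2), time.Hour), "CN=constructed user", now)
	crl.Revoke(cert)
	fmt.Println(Verify(cert, pub(ca), crl, now))
}
```

Because every revoked entry carries its certificate's end time, pruning keeps the list as short as the validity period allows, and an expired certificate is still refused by the validity check after its entry is gone.
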
If the request is accepted, then the temporary certificate server 115 in step 1050 generates a re-issued temporary certificate (same subject name, same public key, same serial number, different validity period, different global server signature) and in step 1060 downloads the re-issued certificate to the client site 125 for installation. It will be appreciated that, if re-issuing a temporary certificate is not available, then re-generating a temporary certificate would be necessary (which may include regenerating a new public and private key pair, etc.). Method 1000 then ends.

FIG. 11 is a flowchart illustrating a method 1100 for installing a self-certified limited certificate, as illustrated in FIG. 13. Method 1100 begins with the temporary certificate server 115 in step 1105 accepting a request to generate a temporary certificate 400. The temporary certificate server 115 in step 1110 appends the short-term public key 405 received in the request 450 and client identifying items (e.g., subject name 410) retrieved from the database of users 310 into a package. The temporary certificate server 115 in step 1115 appends validity period information (e.g., start/end time 415) based on the duration 460 in the request 450, the validity period of the long-term certificate and predetermined limits into the package. For identification purposes, the temporary certificate server 115 in step 1120 assigns a serial number 420 and appends it into the package. The temporary certificate server 115 in step 1125 retrieves the long-term public certificate (such as certificate 160) associated with the requesting user from the database of users 310, and appends the long-term certificate into the package. The temporary certificate server 115 in step 1130 retrieves the long-term private key (such as private key 165) associated with the long-term certificate from the database of users 310, and uses the private key to generate a signature for the items appended to the package. The temporary certificate server 115 in step 1135 appends the signature to the package, and method 1100 ends.

FIG. 12 is a flowchart illustrating a method for verifying the authenticity, integrity and origin of a temporary certificate 400, including a self-certified limited certificate. Method 915 begins with the secure communications engine 147 on the web site 130 in step 1205 determining whether the temporary certificate 400 (FIG. 4A) or 1300 (FIG. 13) is a self-certified limited certificate 1300. If so, then the secure communications engine 147 in step 1210 determines whether it recognizes the certificate authority signing the appended long-term certificate 1315. If unrecognized, then the secure communications engine 147 in step 1215 determines that the temporary certificate 1300 is invalid, and method 915 proceeds to step 917 (FIG. 9).

If the certificate authority is recognized, then the secure communications engine 147 in step 1220 uses the certificate authority's well-known public key to verify the signature of the appended long-term certificate 1315. The secure communications engine 147 in step 1225 determines whether the signature of the long-term certificate 1315 has been verified. If not, then method 915 returns to step 1215. Otherwise, the secure communications engine 147 in step 1230 determines whether the long-term certificate 1315 has expired. If not, then method 915 returns to step 1215. Otherwise, the secure communications engine 147 in step 1235 determines whether the long-term certificate 1315 has been revoked. Determining long-term certificate revocation typically includes downloading a long-term certificate revocation list (not shown) from the certificate authority signing the long-term certificate 1315. If revoked, then method 915 returns to step 1215.

If verified, unexpired and unrevoked, then the secure communications engine 147 in step 1240 uses the long-term public key in the long-term certificate 1315 to verify the signature of the temporary certificate 1300. If in step 1243 the secure communications engine 147 determines that the signature does not verify, then method 915 returns to step 1215. Otherwise, the secure communications engine 147 in step 1245 determines whether the validity period 1310 of the self-certified limited certificate 1300 is within the validity period of the long-term certificate 1315. If not, then method 915 returns to step 1215. If so, then the secure communications engine 147 in step 1250 determines whether the self-certified certificate 1300 and long-term certificate have the same subject. If not, then the method 915 returns to step 1215. Otherwise the secure communications engine 147 in step [illegible] certificate 1300, and proceeds to step 920 (FIG. 9).

If the secure communications engine 147 in step 1205 determines that the received temporary certificate 400 or 1300 is not a limited certificate 1300, then the secure communications engine 147 in step 1260 performs conventional certificate verification techniques, and in step 1265 determines whether the certificate 400 has been authenticated. If so, then method 915 proceeds to step 920 (FIG. 9). If not, then method 915 proceeds to step 917 (FIG. 9).

The foregoing description of the preferred embodiments of the present invention is by way of example only and other variations and modifications of the above-described embodiments and methods are possible in light of the foregoing teaching. Although the network sites are being described as separate and distinct sites, one skilled in the art will recognize that these sites may be a part of an integral site, may each include portions of multiple sites, or may include combinations of single and multiple sites. Although the certificate installation, maintenance, etc. software have been described as Downloadables, one skilled in the art will be [illegible] these modules may be a part of a web engine on the temporary client. Further, components of this invention may be implemented using a programmed general purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. Connections may be wired, wireless, modem, etc. Although the system of the present invention is being described with reference to an atomic clock [illegible] such as the U.S. Navy Master Clock may alternatively be accessed. The invention will still operate without an atomic clock [illegible] using larger validity periods and depending more on revocation lists. Although we have described the present invention for SSL, PCX and other session-oriented protocols, the techniques can be easily adapted to non-session protocols such as S/MIME and S/PAY which use public key certificates. The embodiments described herein are not intended to be exhaustive or limiting. The present invention is limited only by the following claims.

What is claimed is:

1. A computer-based method for installing a temporary certificate on a client site, comprising the steps of:
receiving a public key from a client site;
generating a temporary certificate [illegible] a validity period; and
delivering the temporary certificate and a certificate installation downloadable to the client site, thereby enabling installing of the certificate on the client site without requiring network transfer of a client private key.

2. The method of claim 1, wherein the client site is unconfigured.
3. The method of claim 1, wherein the certificate installation downloadable includes code for causing the client site to install the temporary certificate in a web engine.

4. The method of claim 3, wherein the certificate installation downloadable includes an application program interface for communicating with the web engine.

5. The method of claim 1, further comprising the step of identifying and authenticating the user at the client site before generating the temporary certificate.

6. The method of claim 1, further comprising the step of establishing a secure channel with the client site before downloading the temporary certificate.

7. The method of claim 1, further comprising the step of forwarding to the client site a key generation downloadable for causing the client site to generate the public key and an associated private key.

8. The method of claim 7, further comprising the step of receiving a validity period duration request.

9. The method of claim 8, wherein the temporary certificate is a self-certified limited certificate.

10. The method of claim 8, further comprising the step of digitally signing the temporary certificate.

11. The method of claim 1, further comprising the step of forwarding to the client a certificate maintenance downloadable for causing the client site to monitor the validity period of the temporary certificate.

12. The method of claim 11, wherein the certificate maintenance downloadable further enables the client site to update the temporary certificate before expiration.

13. The method of claim 1, further comprising the step of downloading a certificate de-installation downloadable for causing the client site to de-install the temporary certificate from the client site.

14. The method of claim 13, wherein the de-installation downloadable stores information identifying an unexpired temporary certificate in a revocation list.

15. A system for installing a temporary certificate in a client site, comprising:

a server for receiving a public key from a client site;

a temporary certificate generator coupled to the server for generating a temporary certificate containing the public key and a validity period; and

a certificate installation downloadable coupled to the server for causing the client site to install the temporary certificate, thereby enabling installing of the certificate in the client site without requiring network transfer of a client private key.

16. The system of claim 15, wherein the client site is unconfigured.

17. The system of claim 15, wherein the certificate installation downloadable enables the client site to install the temporary certificate in a web engine.

18. The system of claim 17, wherein the certificate installation downloadable includes an application program interface for communicating with the web engine.

19. The system of claim 15, further comprising a security module coupled to the server for identifying and authenticating the user at the client site.

20. The system of claim 15, wherein the server generates a secure communications channel with the client site.

21. The system of claim 15, further comprising a key generation downloadable for causing the client site to generate the public key and a private key.

22. The system of claim 21, wherein the temporary certificate generator receives a validity period duration request from the client site and uses the duration request to determine the validity period.
23. The system of claim 22, wherein the temporary certificate generator digitally signs the temporary certificate.

24. The system of claim 23, wherein the server includes a server private key, and the temporary certificate generator uses the server private key to digitally sign the temporary certificate.

25. The system of claim 15, further comprising a certificate maintenance downloadable coupled to the server for causing the client site to monitor the validity window of the temporary certificate.

26. The system of claim 25, wherein the certificate maintenance downloadable coupled to the server further enables the client site to update the temporary certificate before expiration.

27. The system of claim 15, further comprising a certificate de-installation downloadable coupled to the server for causing the client site to de-install the temporary certificate from the client site.

28. The system of claim 27, wherein the de-installation downloadable stores information identifying an unexpired temporary certificate in a revocation list.

29. A computer-readable storage medium storing program code for causing a computer to perform the steps of:

receiving a public key from a client site;

generating a temporary certificate containing the public key and a validity period; and

delivering the temporary certificate and a certificate installation downloadable to the client site, thereby enabling installation of the certificate at the client site without requiring network transfer of a client site private key.

30. A method for installing a temporary certificate in a web engine, comprising the steps of:

generating a public key and a private key;

sending the public key to a certificate authority;

providing identification and authentication information to the certificate authority;

if identified and authenticated, receiving a certificate installation downloadable and a temporary certificate having a short validity period from the certificate authority; and

using the certificate installation downloadable to install the temporary certificate and the private key in the web engine, thereby enabling installing of the certificate at a client site corresponding to the web engine without requiring network transfer of the private key.

31. The method of claim 30, wherein the web engine is currently unconfigured.

32. The method of claim 30, further comprising the step of sending a temporary certificate duration request to the certificate authority.

33. The method of claim 32, wherein the validity period is based on the temporary certificate duration request.

34. A system for installing a temporary certificate on an unconfigured web engine, comprising:

a key generation module for generating a public and private key pair;

a certificate request module for transmitting the public key to a certificate authority;

a certificate installation module for installing a temporary certificate having a short validity period and the private key in an unconfigured web engine, thereby creating a temporarily configured web engine; and

a certificate maintenance module for monitoring the short validity period to determine if the temporary certificate has expired, thereby enabling installing of the certificate at a client site corresponding to the web engine without requiring network transfer of the private key.

35. The system of claim 34, wherein one of the modules is part of the web engine.

36. The system of claim 34, wherein one of the modules was downloaded from a remote computer.

37. The system of claim 34, wherein one of the modules is a stand-alone application program.

38. The system of claim 34, further comprising a certificate de-installation module for de-installing the temporary certificate upon expiration.

39. The system of claim 34, wherein the certificate maintenance module enables re-issuing the temporary certificate with a new short validity period.

40. The system of claim 34, wherein the certificate request module sends a request which includes the public key and identification and authentication information to the certificate authority.

41. A method of generating a self-certified temporary certificate, comprising the steps of:

receiving a temporary public key and user-identification information from a remote client;

retrieving a long-term public key certificate and a long-term private key from memory;

packaging the temporary public key, the user-identification information, a validity period and the long-term public certificate into a package; and

using the long-term private key to sign the package, thereby generating a self-certified temporary certificate without requiring network transfer of the long-term private key.

42. A method of examining a self-certified temporary certificate, comprising the steps of:

receiving a self-certified temporary certificate, which includes a signature, a validity period, a temporary public key, and a long-term public certificate containing a long-term public key and signed by a certificate authority private key associated with a certificate authority;

using a well-known public key associated with the certificate authority private key to verify the certificate authority signing the long-term certificate;

using the long-term public key to verify the signature of the temporary certificate, and thus to verify the client; and

enabling access to services during the validity period if the certificate authority and the temporary certificate have been verified, thereby enabling examining of the certificate of the client without requiring network transfer of a client private key.

43. A method of installing a temporary certificate, comprising the steps of:

generating a public and private key pair;

receiving a user-selected certificate duration request;

packaging the public key and the user-selected certificate duration request into a certificate generation request;

sending the certificate generation request to a certificate authority;

receiving a temporary certificate containing the public key and a limited validity period based on the user-selected temporary certificate duration request;

installing the temporary certificate and the private key in a web engine, thereby enabling installing of the certificate at the client without requiring network transfer of the client private key.

44. A method of generating a temporary certificate, comprising the steps of:

receiving a certificate generation request containing a public key and a user-selected certificate duration request from a remote client;

packaging the public key and a certificate validity period based on the user-selected certificate duration request into a package;

signing the package, thereby generating a temporary certificate; and

transmitting the temporary certificate to the remote client, thereby enabling generating of the certificate of the remote client without requiring network transfer of a remote client private key.
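
The issuing and examining steps of claims 41 and 42, as an added Go example that is not part of the patent. Ed25519 stands in for the unspecified signature algorithm; the type names, the helper functions and the JSON encoding of the signed fields are assumptions, and the long-term certificate's own expiry and revocation checks (steps 1230 and 1235) are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"time"
)

// LongTermCert is an assumed minimal layout: a long-term public key signed by the CA.
type LongTermCert struct{ Pub, CASig []byte }

// TempCert is the package of claim 41; Sig is made with the long-term private key.
type TempCert struct {
	TempPub, Sig        []byte
	User                string
	NotBefore, NotAfter time.Time
	LongTerm            LongTermCert
}

// NewKey returns a fresh Ed25519 pair (a nil reader selects crypto/rand).
func NewKey() (pub ed25519.PublicKey, priv ed25519.PrivateKey) {
	pub, priv, _ = ed25519.GenerateKey(nil)
	return
}

// Certify is the CA step: sign a long-term public key with the CA private key.
func Certify(caPriv ed25519.PrivateKey, pub []byte) LongTermCert {
	return LongTermCert{pub, ed25519.Sign(caPriv, pub)}
}

// body is a deterministic encoding of every field the temporary signature covers.
func (c *TempCert) body() []byte {
	b, _ := json.Marshal([]interface{}{c.TempPub, c.User, c.NotBefore.Unix(), c.NotAfter.Unix(), c.LongTerm})
	return b
}

// Issue signs the package with the long-term private key (claim 41).
func Issue(ltPriv ed25519.PrivateKey, lt LongTermCert, tempPub []byte, user string, from time.Time, d time.Duration) *TempCert {
	c := &TempCert{TempPub: tempPub, User: user, NotBefore: from, NotAfter: from.Add(d), LongTerm: lt}
	c.Sig = ed25519.Sign(ltPriv, c.body())
	return c
}

// Examine follows claim 42; any failed link in the chain denies access.
func Examine(caPub ed25519.PublicKey, c *TempCert, now time.Time) bool {
	return len(c.LongTerm.Pub) == ed25519.PublicKeySize && // Verify panics on a malformed key
		ed25519.Verify(caPub, c.LongTerm.Pub, c.LongTerm.CASig) && // CA signed the long-term key
		ed25519.Verify(c.LongTerm.Pub, c.body(), c.Sig) && // long-term key signed the package
		!now.Before(c.NotBefore) && !now.After(c.NotAfter) // inside the validity period
}
```

Because the validity period and the embedded long-term certificate are inside the signed body, changing either after issuance invalidates the temporary signature.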
